How Click Fraud is threatening your profits, and what you can do to stop it. The complete guide

If you advertise with Google, Bing or Facebook then you’ll be familiar with their Pay Per Click (PPC) advertising model; you publish an advert, and whenever a potential customer clicks that ad your business is charged a small sum by the advertiser.

At least, that’s how it is supposed to work.

The truth is that potential customers aren’t the only people who will be clicking your adverts. Sometimes it may be curious competitors; folk looking for information with no intention of buying; or simple mis-clicks. However, regardless of the reason, you’ll be paying for every single one. These unwanted clicks are a natural part of the PPC landscape. However, they become a problem when the clicking is by one person or party, and becomes frequent. We refer to this behaviour as ‘click fraud‘.

Why click fraud is a very real threat to your advertising budget

Click fraud can be a serious threat to all businesses who advertise using the PPC model. Think not? Before Bunting we ran a software development company, which was targeted by a jealous competitor of our services. This person began clicking our ads up to 20 times a day, and, with our cost varying between £1 – £2 ($1.50 – $3) per click, our business was taken for a thousand pounds before we brought it under control.

We built Bunting originally for ourselves – to identify the attacker’s movements and stop them in their tracks. We learnt how to defend ourselves the hard way. This article will show you how you can defend yourself effectively, and avoid the trouble we had.

First thing to understand; Google’s protection alone is not enough

Google clearly identifies some fraudulent clicks in it’s Adwords panel as ‘invalid clicks’. However, this system is inadequate.

During our attack, the vast majority of the fraudster’s clicks were not identified as invalid, yet we were charged for these clicks anyway – just as you may be if you’re a target. The reason? Well I don’t know for sure. But I suspect Google are protecting their profits.

Adwords is Google’s primary revenue stream, generating approximately USD $42.5 billion in 2013 (http://investor.google.com/financial/2013/tables.html). It easy to recognise that they would lose millions, if not billions, if they ramped up their fraud identification software. In our experience, you should not place your entire faith in Google to defend you – you should take additional preventative action yourself.

You may be a victim – and not even know it yet

The worst part of click fraud is that you may be suffering as a victim, but not even know it yet. Without taking the correct steps, your competitors (or other maladjusted individuals) may be costing you hundreds or even thousands of pounds a month.

But don’t panic, for there are things that you can do to give yourself peace of mind, and – if you are being attacked – stop the fraud before it damages your profits further. This article is written to help take you through the steps that you need to do it yourself.

Alternatively, if you don’t want the hassle of writing software yourself to track click fraud then you can sign up to a dedicated fraud monitoring service, such as Bunting’s nice-and-easy fraud protection app.

Want to take on the challenge of writing click fraud monitoring software yourself? Our hats off to you! It’s no easy feat, but it can be an interesting experience, and this article will show you the basics of what you need to do. So without further ado, let’s get stuck in.

Step 1: Identifying any fraudsters attacking your website

First, you need to know if you’re being targeted by fraudsters. If your competitors are relatively small companies who also advertise on the same platform as you then it’s probably more likely that you will be.

To identify them you will first need to start profiling every visitor who arrives at your website via a paid ad. A common method of identifying a click from one of your Google ads is to watch for the ‘gclid’ query string in web addresses. Google appends this to all landing page URLs by default, so if your advert sends visitors tohttp://www.mysite.com/landing-page.html, then the actual link Google will send the visitors to will look something like this: http://www.mysite.com/landing-page.html?gclid=CPy78b8b0CFbdhtAodLHssA6Q

When you are identifying clicks it is very important that you avoid a common mistake that even some dedicated click fraud tools made, as identified in this insightful report by Google themselves: http://tinyurl.com/mks9sov. In summary, you need to ensure that unique clicks are only recorded once each. So, for example; if a visitor clicks through to the landing page of your website (one click); then moves to a second page; then presses back to return to the original landing page – this return to the landing page is not identified as another click. Sounds simple, but like I said, Google already identified several dedicated click fraud identification apps as having made this catastrophic mistake. The result? Your reports may show vastly inflated click numbers that Google will quite rightly challenge if you approach them for a refund.

For your click fraud tracking software to work, it must be able to maintain and recall one profile per visitor, despite how many times they return, and how often. Bunting uses a complex algorithm, which takes many factors into account, but the primary two means of identification that your software should use are IP addresses and 1st party tracking cookies (a good introduction comparing first vs third party tracking cookies can be found here: http://www.opentracker.net/article/third-party-cookies-vs-first-party-cookies). The complete movements of every single visitor to your website must be recorded.

When your profiling software is built, and is correctly monitoring each ad click, you should then write an algorithm to identify unusual and unnatural ad click behaviour from normal clicking behaviour. Remember: some genuine shoppers may click your ads several times in the process of gathering information and comparing your products to those of your competitors. It is not uncommon for some indecisive customers to click an ad you created some 10 times or more. Therefore, it’s important that your software is able to identify genuinely suspicious behaviour from normal shopping behaviour as accurately as possible. Afterall, you don’t want to wrongly identify (and potentially accuse) a genuine customer as being a fraudster!

Again, Bunting uses many factors within it’s algorithm to identify a fraudster. If you wish to build the software yourself, then your software should at least take into account all of the following metrics:

The number of ad clicks by each suspect

The amount of time between clicks

The keywords being searched for

The duration of ad click visits

Whether the visitor has made a purchase already

The country of origin based on the visitor’s IP address

Whether they’re using a static IP address or a dynamic IP

When your software has identified a potential click fraudster, it’s time to do something about it.

Step 2: Taking action against a click fraudster

There are a number of actions that you can take against fraudulent click activity. The main three are listed below.

2.1: Communicating with a click fraudster

If, like Bunting, you have built your software to record any information that the suspect has entered into your website, then they may have given you their email address already, unaware that their activity is being monitored. A common occurrence is a competitor entering their email address into your newsletter subscription box (presumably to spy on your current offers and advertising methods). If this is the case, try emailing them! Your style of message is up to you, but I’d suggest always remaining professional, and keeping any threats of legal action out of communications unless the fraud continues despite unsuccessful requests for them to stop it.

If you don’t have an email address to contact the person on then you could set up a website-based message that appears the next time they visit your website. With Bunting this is easy to write in just a few clicks. In your own software it’ll be a little more challenging to program, but not too difficult compared to the task of actually identifying the fraudster in the first place. Simply write your software to show a message (within a Javascript alert box, or a lightbox) that will appear whenever suspect next visits.

In these circumstances you won’t often know the identify of the fraudster, so I’d recommend keeping it friendly; thank them for visiting your website and ask them to bookmark it for future visits as it helps reduce your advertising bill (and thus the cost you charge them). That way, even if you had mis-identified a genuine customer as a fraudster then you’re remaining professional and friendly. If the suspect persists in clicking your ads you can become progressively more forceful in your message, in a means you feel appropriate.

2.2: Requesting a refund from your advertiser

All major advertisers, such as Google, Bing and Facebook, will have a fraud response team, who should provide you with full refund, as long as you can demonstrate which clicks you suspect as being fraudulent, and show a pattern. You should therefore write your software to produce click fraud refund reports.

Within this report, only include the clicks that you suspect to be fraudulent. Include as much detail as possible, including:

The exact time of each click

The landing page URLs

The IP address recorded by the visitor

The keywords used

Generally speaking, the more information you can provide, the better. Google and other advertisers may contest the information you provide, but generally speaking, if you help them identify fraud, they will co-operate and provide a refund.

2.3: Blocking the click fraudster from seeing your ads

Within platforms such as Google Adwords you can block certain IP addresses from seeing your ads. If a suspect uses a static IP address, which doesn’t change regularly, then you can access your Google Adwords account and exclude their IP address. Your ads will then not be shown to that suspect, effectively stopping the click fraud in its tracks. This is by far the best method of preventing click fraud, but only works when the suspect is using a static IP address. In the event of a suspect using a dynamic IP address which changes regularly, you will either need to begin entering each new IP as and when the suspect clicks your ads and provides you with it, or use one of the other two methods, above.

Step 3: Who actually is this person who’s attacking me?!

We asked ourselves this question many times when we were victims of click fraud. If you’re being attacked then it will be one of the most enduring questions that will dog you. There are some ways to identify the real-world identity of the fraudster, but they all require you to have a suspect in mind.

In our case we were already acquainted with the individual that we suspected of the fraud, via general business correspondence. We also knew that they’d been on pre-release pages of our website that, at the time, only we and they would know about. Searching our server logs would probably contain a record of their IP address. It did, and we were successfully able to match the machine of the person we suspected with that of the anonymous fraudster. We knew we’d caught our crook red-handed. We subsequently challenged the individual about this, who confirmed their clicking on our ads (with a poor excuse that it was “market research”) and stopped their activity.

There are other similar ways of identifying fraudsters. For example, you could cross reference the IP address of any emails sent to you by the suspect, assuming of course that they’ve emailed you before. This won’t work with everyone. Certain applications such as Gmail use their own IP addresses, thus hiding the IP of the sender. Others don’t, and will let you capture the suspect’s IP address for referencing. However it’s worth a try.

Conclusion

As an advertiser with a finite budget, it’s important that you are proactive in protecting yourself against online fraud. You shouldn’t leave it to your advertising platform to protect you. This isn’t to say you should ignore your advertiser’s recommendations, and the information they’re giving you. Rather, you should also employ a secondary method of protecting yourself, whether it be writing a piece of software as described above, or utilising a third party fraud protection application, such as Bunting.

By removing click fraud from your advertising campaigns you won’t just lower your cost per acquisition, increase your conversion rate, and improve your profits – you’ll be able to sleep well at night in the knowledge that your money is being spent where it will be best put to good use – in advertising, not wasted at the hands of others.